Re: ACLs = string matching

[Tony Earnshaw <tonni@billy.demon.nl>]

man, 14.04.2003 kl. 20.10 skrev Bob Van Cleef:

I can only give hints, since much is unclear.

1. There's nothing wrong with GQ 0.6.0 but 0.7.0b2 is better.
2: I haven't ever used Openldap 2.0.27, I've only ever used 2.1.x
3: I use Evo 1.2.4 as MUA and contact database with Openldap 1.2.17 and
apart from Ximian's foul and incomplete implementation, it works with
simple binds on port 389.

> access to attr=userPassword
>         by self write
>         by dn="cn=Manager,dc=equoria,dc=net" write
>         by anonymous auth
>         by * none

Make the above:

access to "dc=equoria,dc=net"
	attr=userPassword
        by anonymous auth
        by self write

by dn="cn=Manager,dc=equoria,dc=net" write: If you're binding and
authenticating as "cn=Manager,dc=equoria,dc=net" with his password, you
don't have to have this, since you have him as rootdn in slapd.conf.
However, this is a very bad idea in practice; you should have an admin
user with limited rights.

> access to *
>       by self write
>       by * read

Ditto here.

> suffix          "dc=equoria,dc=net"
> suffix          "o=Land of Garg,c=US"
^^^^^^^^
Scrub the second suffix.

> rootdn        "cn=Manager,dc=equoria,dc=net"
> rootpw        {SSHA}[snip]

> But, the only result I get from a write request via GQ is insufficient 
> access...

I don't know how you've configured the server prefs in GQ, so can't
comment. But if you can make ldapsearch, ldapadd and ldapmodify work,
you can make GQ work. Don't know either what you have in the relevant
ldap.conf, what your base or host are.

4: Use log level 128 or 256, which are more relevant to what you want to
see. Especially 256 with a tail -f on slapd.log together with GQ will
tell you more.